SYSTEM AND METHOD FOR PROVIDING ACCESS TO A RESOURCE

FIELD OF THE INVENTION 

The present disclosure relates to a system and method for providing access to a
resource. More particularly, the disclosure relates to a system and method for simplifying
the process with which an administrator facilitates this access.

BACKGROUND OF THE INVENTION 

Oftentimes, service providers offer access to certain resources to remote clients in
exchange for a fee. For instance, some service providers permit clients to access high
speed computers maintained by the service provider for predetermined lengths of time to
conduct computations that more conventional computers lack the capacity and/or speed to
complete efficiently. Typically, access is provided to the clients through various network
connections. Therefore, for example, a client may send data (typically in packet form) to
the service provider via the networks, and then receive the modified data resulting from
the computations again via the networks.

In order for data to travel between two or more networks, there must be an
effective path between the networks. Typically, this path is selected from multiple
possible paths over a complex array of network devices (e.g., switches, routers, links,
bridges, etc.). The nature of an effective path is normally dependent upon the various
configurations of the network devices used in the two networks. These devices are
arranged such that multiple possible paths exist so as to provide redundant
communication paths, thereby increasing the likelihood that uninterrupted
communications can be achieved. In the service provision scenario, however, critical
gateways are normally used to create a single point of control over access to restricted
resources so that greater security can be maintained by the service provider. In such a
scenario, access to the resources basically equates to connectivity to the service provider
network or networks that comprise these resources. In other words, to gain access is to
become connected.

Typically, the service provider uses several operators or administrators that
provide connectivity, and therefore grant access, to the service provider resources. In that
the various clients that access the resources may use different network configurations, the
administrator must be able to facilitate connectivity for different types of networks.
Although connectivity can be provided for substantially any network configuration, the
process of establishing this connectivity can be different for each. Therefore, the
administrator must be trained to recognize the various network configurations of the
clients and must be able to facilitate their connectivity. Unfortunately, it can be difficult
for service providers to find, as well as retain, administrators with these skills. Even
when such persons can be located and retained, their training and/or their salaries can be
quite expensive.

Although graphical user interfaces (GUIs) have been developed for simplifying
the administrator's control over connectivity so that less skilled administrators can be
utilized, existing GUIs distinguish between the different connectivity methods for the
various network configurations. Therefore, the administrators still must know how to
manipulate the GUI for each connectivity situation. In addition, in that the method used
is normally different for each different network configuration, there are many
opportunities for mistakes to be made by the administrator.

From the foregoing, it can be appreciated that it would be desirable to have a
simplified system and method for controlling access to a resource.

SUMMARY OF THE INVENTION 

The present disclosure relates to a method for providing access to a resource. The
method comprises the steps of providing a graphical user interface (GUI) to an operator
with which client connectivity with the resource is enabled, the GUI being configured
such that the process used by the operator to facilitate connectivity using the GUI is the
same regardless of which underlying connectivity method is used, receiving commands of
the operator with the GUI that convey the identity of the client and the resource to be
accessed by the client, determining the client network configuration, and establishing
client connectivity to the resource.

In addition, the disclosure relates to a system for providing access to a resource.
The system comprises means for providing a graphical user interface (GUI) to an operator
with which client connectivity with the resource is enabled, the GUI being configured
such that the process used by the operator to facilitate connectivity using the GUI is the
same regardless of which underlying connectivity system is used, means for receiving
commands of the operator with the GUI that convey the identity of the client and the
resource to be accessed by the client, means for determining the client network
configuration, and means for establishing client connectivity to the resource.

Furthermore, the disclosure relates to a computer readable medium for providing
access to a resource. The computer readable medium comprises logic configured to
provide a graphical user interface (GUI) to an operator with which client connectivity to
the resource is enabled, the GUI being configured such that the process used by the
operator to facilitate connectivity using the GUI is the same regardless of which
underlying connectivity computer readable medium is used, logic configured to receive
commands of the operator with the GUI that convey the identity of the client and the
resource to be accessed by the client, logic configured to determine the client network
configuration, and logic configured to establish client connectivity to the resource.

Other systems, methods, features, and advantages of the invention will become
apparent upon reading the following specification, when taken in conjunction with the
accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention can be better understood with reference to the following drawings.
The components in the drawings are not necessarily to scale, emphasis instead being placed
upon clearly illustrating the principles of the present invention.

FIG. 1 is a schematic view of a system for providing access to a resource. 

FIG. 2 is a schematic representation of a computing device shown in FIG. 1.

FIG. 3 is an example graphical user interface for use with the system shown in FIG. 1.

FIG. 4 is a flow diagram that illustrates operation of a control module identified in FIG. 2.

FIG. 5 is a flow diagram that illustrates operation of a connectivity module
identified in FIG. 2.

FIG. 6 is an example correlation chart that can be used by the connectivity module
identified in FIG. 2.

DETAILED DESCRIPTION

Referring now in more detail to the drawings, in which like numerals indicate
corresponding parts throughout the several views, FIG. 1 illustrates a system 100 for
providing access to a resource. As indicated in FIG. 1, the system 100 can comprise several
different networks including a service provider network 102, one or more client networks
104, and a wide area network (WAN) 106 through which connectivity between the client
networks and the service provider network can be established. Although a particular
arrangement of networks is shown in FIG. 1, it is to be understood that this arrangement is
merely exemplary in nature and that many other arrangements are feasible and could be
used to facilitate connectivity. Moreover, although single networks are illustrated, persons
having ordinary skill in the art will appreciate that one or more of these networks can
comprise two or more sub-networks (i.e., subnets). As is discussed in more detail below,
the configuration of the client networks 104 can vary such that different methods are
required to establish connectivity between the individual client networks and the service
provider network 102.

Also shown in FIG. 1 are one or more resources 108 that are connected to the
service provider network 102 and that, under the control of the service provider, can be
accessed by the various clients. By way of example, these resources 108 can comprise high
speed computers. It will be appreciated, however, that the resources 108 can comprise
substantially any resource that a client may wish to remotely access and use. Connected to
the client networks 104 are computing devices (e.g., servers) 110 that are used by the clients
to transmit data to and receive data from the service provider network 102 and, more
particularly, one or more of the service provider resources 108. As indicated in FIG. 1, one
or more such computing devices 110 can be connected to each client network 104. Shown
connected to the service provider network 102 and the WAN 106 is a service provider
computing device 112 that, by way of example, can also comprise a server. As is described
in detail below, the computing device 112 can be operated by a service provider
administrator (or other person) so as to grant or deny clients access to the provider network
102 and the resources 108 connected thereto.

FIG. 2 is a schematic view illustrating an example architecture for the service
provider computing device 112 shown in FIG. 1. As indicated in FIG. 2, the computing
device 112 generally comprises a processing device 200, memory 202, at least one user
interface device 204, and at least one network interface device 208, each of which is
connected to a local interface 210 that, by way of example, comprises one or more
internal and/or external buses. The processing device 200 comprises hardware for
executing software that is stored in the memory 202 and can include, for example, a
central processing unit (CPU) or an auxiliary processor among several processors
associated with the computing device 112, a semiconductor based microprocessor (in the
form of a microchip), or a macroprocessor. The memory 202 can include any one or
combination of volatile memory elements (e.g., random access memory (RAM, such as
DRAM, SRAM, etc.)) and nonvolatile memory elements (e.g., ROM, hard drive, tape,
CDROM, etc.). Moreover, the memory 202 can incorporate electronic, magnetic, optical,
and/or other types of storage media.

The one or more user interface devices 204 can include those tools normally used
to communicate with a computing device such as a server including, for instance, a
keyboard, mouse, and display. The one or more network interface devices 208 comprise
the various hardware with which the computing device 112 transmits and receives data
over the networks. By way of example, the network interface devices 208 can include a
modulator/demodulator (e.g., modem), an RF or other transceiver, a telephonic interface,
a bridge, a router, etc.

As indicated in FIG. 2, the memory 202 comprises various software programs. In
particular, the memory 202 includes an operating system 214, a control module 214, and
a connectivity module 216. The operating system 214 controls the execution of other
software, such as the control module 214 and connectivity module 216, and provides
scheduling, input-output control, file and data management, memory management, and
communication control and related services. As described in more detail below, the
control module 214 is adapted to present the user (e.g., service provider administrator)
with a graphical user interface (GUI) with which the user can operate the connectivity
module 216 which facilitates connectivity between the client networks 104 and the
service provider resources 108. As described below, the GUI presented to the user is
configured such that connectivity can be provided through the same on screen process,
regardless of the client network configuration. Connectivity is attained by the
connectivity module 216 with reference to data stored in the connectivity database 218 of
the memory 202.

HP Docket No. 10005039-1

Various software has been described herein. It is to be understood that this software
can be stored on any computer readable medium for use by or in connection with any
computer related system or method. In the context of this document, a computer readable
medium is an electronic, magnetic, optical, or other physical device or means that can
contain or store a computer program for use by or in connection with a computer-related
system or method. The software can be embodied in any computer-readable medium for
use by or in connection with an instruction execution system, apparatus, or device, such
as a computer-based system, processor-containing system, or other system that can fetch
the instructions from the instruction execution system, apparatus, or device and execute
the instructions. In the context of this document, a "computer-readable medium" can be
any means that can store, communicate, propagate, or transport the software for use by or
in connection with the instruction execution system, apparatus, or device.

The computer readable medium can be, for example but not limited to, an
electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system,
apparatus, device, or propagation medium. More specific examples (a nonexhaustive list)
of the computer-readable medium include an electrical connection having one or more
wires, a portable computer diskette, a random access memory (RAM), a read-only
memory (ROM), an erasable programmable read-only memory (EPROM, EEPROM, or
Flash memory), an optical fiber, and a portable compact disc read-only memory
(CDROM). Note that the computer-readable medium can even be paper or another
suitable medium upon which a program is printed, as the program can be electronically
captured, via for instance optical scanning of the paper or other medium, then compiled,
interpreted or otherwise processed in a suitable manner if necessary, and then stored in a
computer memory.

As identified above, it would be desirable for a user (e.g., service provider
administrator) to have a tool with which connectivity can be established in a more simple
manner irrespective of the configuration of the client network. More specifically, it would
be desirable to have a tool with which connectivity can be established in an at least partially
automated process such that highly skilled users are not needed. Such operation is provided
by the control module 214 and connectivity module 216. The control module 214 generates
an application that uses a control GUI that is operated by the user in the same manner
regardless of the particular network configuration the client is using. An example GUI 300
is shown in FIG. 3. This GUI 300 (entitled "VLAN Pilot") is used to enable connectivity
for one or more clients. For instance, the GUI 300 can be used to construct virtual local
area networks (VLANs) through which connectivity can be provided to one or more clients.
Alternatively, the GUI 300 can provide similar connectivity without creating a VLAN by
renumbering an existing but disconnected VLAN to a VLAN number for which
connectivity was previously enabled.

As indicated in FIG. 3, the GUI 300 can have a look and feel common to Windows-type
software programs to present a familiar format to the user. The GUI 300 can include a
"Modify VLANs" folder 302 that is specifically configured for modifying the service
provider formulated VLANs. Although other such folders can be provided, they are not
shown or described herein as being beyond the scope of this disclosure. As depicted in FIG.
3, the Modify VLANs folder 302 can comprise a "Customer" window 304 and a "Free
Pool" window 306. As described below, the Customer window 304 is used to identify
VLANs that have been created for particular clients, and to identify to which resources
those clients have access. In the example configuration shown in FIG. 3, the Customer
window includes a "VLANs" subwindow 308 that identifies the VLANs that have been
created, and a "Resources" subwindow 310 that identifies the resources associated with the
VLANs. In addition, the Customer window 304 can include a "New VLAN" button 312
that, as is described below, is used to create new VLANs for clients. The "Free Pool"
window 306 is used to identify the resources that are available for use by a client. By way
of example, this window 306 can include a "Resources" subfolder 314 that includes a
resources subwindow 316 that lists the available resources.

FIG. 4 illustrates an example mode of operation of the control module 214 shown in
FIG. 2. More particularly, FIG. 4 illustrates the manner in which access to (i.e.,
connectivity with) one or more service provider resources 108 is controlled through
manipulation of a GUI such as GUI 300. As indicated in block 400, the control module 214
is first initiated and, as indicated in block 402, the control module presents the administrator
with a control GUI, such as GUI 300. Once the GUI is presented, the control module 214 is
prepared to receive connectivity instructions from the administrator. If, for instance, a client
contracts with the service provider for a predetermined duration of access to a resource
(e.g., high speed computer), the administrator can be notified that the client is to be provided
with this access.

At this point, the administrator can enable connectivity for the client so the client
will be able to access the service provider resource(s). With reference to the example GUI
300 shown in FIG. 3, the VLAN can be created by first selecting the New VLAN button
312. Selection of this button 312 can generate a pop-up box (not shown) in which the user
can select a client, e.g., from a pull-down menu of the service provider's clients, for which a
VLAN is to be created. Once the client is selected, the newly created VLAN can be
displayed in the VLANs subwindow 308 under the name of the client. By way of example,
FIG. 3 shows two client VLANs have been created, one for "Client 1" and another for
"Client 2." Once the client VLAN has been "created" in this manner, the administrator can
select the resources to which the client will be given access. This can be accomplished by
selecting resources from the resources subwindow 316 and associating them with the
particular client. For instance, the administrator can "drag" each desired resource from the
resources subwindow 316 and "drop" them on the particular client listed in the VLANs
subwindow 308. Persons having ordinary skill will appreciate that other typical GUI
manipulations can be used, if desired. As indicated in FIG. 3, "Client 1" (highlighted) has
been provided access to "Computer 1" as indicated in the Resources subwindow 310.

With reference back to FIG. 4, the administrator selections are received, as indicated
in block 404, either continually as they are entered or at once after all selections have been
made. In either case, the administrator selections are communicated by the control module
214 to the connectivity module 216 such that the VLAN can actually be created for the
client and connectivity established, as indicated in block 408. Preferably, this connectivity
is established automatically under the control of various software contained within the
connectivity module 216. FIG. 5 illustrates an example mode of operation of the
connectivity module 216 in establishing this connectivity. As indicated in block 500, the
connectivity module 216 is first initiated. Normally, such initiation occurs in response to
the communication from the control module 214 identified above. From this
communication, the connectivity module 216 can identify who the client is and which
resources are to be made available to the client, as indicated in block 502.

As mentioned above, it is important to know who the client is in facilitating
connectivity in that each client may operate a differently configured network 104 and
therefore may require a different connectivity method. In that, to maintain the simplicity of
the GUI, the network configuration is not identified to the administrator, the connectivity
module 216 must determine what network configuration the client uses, as indicated in
block 504. With regard to FIG. 5, this determination can be made with reference to a
correlation chart 600 stored within the connectivity database 218 which crosses the client
name (or a code associated with the client) with the connectivity method used for each
client's network.

Once the network configuration has been determined, connectivity can be
established for the client, as indicated in block 506. As is known in the art, a variety of
connectivity methods are currently available and many others are being developed. For
instance, in a simplified arrangement, connectivity can be established by the generation of a
problem ticket that is issued through a workflow management system to a human being
that physically plugs the client connector into the appropriate access device (e.g., switch)
to provide service to the client. In another arrangement, where the client is statically
connected to a VLAN switch port within the service provider network 102 and the VLAN
switch is normally configured to isolate this client port, the VLAN switch can be
reconfigured (e.g., through commands issued through a telnet connection or via simple
network management protocol (SNMP) management traffic) so as to add the dedicated
client port to the port-based VLAN to which the requested resources are already
connected. In an inverted variation of this arrangement, the VLAN switch can be
reconfigured so as to add all pertinent resources to the client's VLAN.

In another example, one or more routing devices can be modified to enable
routing between the client VLAN and the target resource(s). This can be accomplished,
for instance, by creating static routing table entries that allow relevant protocols to route
between the client VLAN and the various network addresses and protocol ports
associated with the service provider resources. In yet a further example, where the static
routing entries described above are permanently configured and service provider firewall
devices are used, access control lists (ACLs) in the firewall configuration can be modified
to provide access. In a last example, instead of having a permanently established client
port, an equivalent connection can be dynamically created. This dynamic connection
could either be a virtual private network (VPN) tunnel, an asynchronous transfer mode
(ATM) virtual circuit, or some future technology for rapidly establishing a private
connection. As will be appreciated by persons having ordinary skill in the art, myriad
existing and yet to be created connectivity methods may apply. Although several
methods are explicitly noted herein, it is to be understood that the actual method used is
not important. More important, however, is that, irrespective of the connectivity method
used, manipulation of the GUI is the same for the administrator, thereby simplifying the
administrator's task and reducing the likelihood of mistakes.

Returning to decision element 410 of FIG. 4, it can then be determined if other
selections are to be made by the administrator, e.g., to provide access to another client. If
so, flow returns to block 402 and connectivity is provided in similar manner to that
described above. If not, flow is terminated. Once connectivity has been provided, the
administrator can be notified as to this fact with the GUI, and the client can use the
resource 108 for the allotted amount of time. Once this time expires, withdrawal of
connectivity can be automatic (i.e., connectivity is set to expire) or can be obtained by
reversing the steps through which connectivity was provided. From the perspective of the
administrator, this withdrawal of connectivity can be accomplished, for instance, by
dragging resources away from the client (VLAN) or through other common methods of
GUI manipulation (e.g., selection of an appropriate button, etc.).
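
The lookup-and-dispatch flow of blocks 502 to 506, together with withdrawal by expiry or by reversing the steps, as an added example that is not part of the original disclosure. The chart contents, method names and step names are constructed placeholders, and the refusal of an unknown client and the audit list are assumptions of this example rather than features the text describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for correlation chart 600: client -> connectivity method.
CORRELATION_CHART = {
    "Client 1": "vlan_port",   # statically connected to an isolated switch port
    "Client 2": "routed",      # reached by static routes behind a firewall
    "Client 3": "ticket",      # a person plugs in the client connector
}

# Each method turns (client, resource) into an ordered list of abstract change
# steps. Step names are hypothetical, not real switch or firewall commands.
METHODS = {
    "vlan_port": lambda c, r: [("add_port_to_vlan", c, r)],
    "routed": lambda c, r: [("add_static_route", c, r), ("add_acl_permit", c, r)],
    "ticket": lambda c, r: [("open_connect_ticket", c, r)],
}

# Inverse of every step, so withdrawal can reverse the steps that granted access.
INVERSE = {
    "add_port_to_vlan": "remove_port_from_vlan",
    "add_static_route": "remove_static_route",
    "add_acl_permit": "remove_acl_permit",
    "open_connect_ticket": "open_disconnect_ticket",
}


@dataclass
class Grant:
    operator: str
    expires: datetime
    steps: list


class ConnectivityModule:
    def __init__(self, chart=CORRELATION_CHART, methods=METHODS):
        self.chart, self.methods = chart, methods
        self.grants = {}   # (client, resource) -> Grant
        self.audit = []    # (time, operator, action, client, resource)

    def grant(self, operator, client, resource, duration: timedelta, now: datetime):
        """Same call for every client; the method is looked up, never operator-chosen."""
        method = self.chart.get(client)
        if method not in self.methods:
            # Fail closed: an unknown client or method changes nothing.
            self.audit.append((now, operator, "deny", client, resource))
            raise LookupError(f"no connectivity method recorded for {client!r}")
        steps = self.methods[method](client, resource)
        self.grants[(client, resource)] = Grant(operator, now + duration, steps)
        self.audit.append((now, operator, "grant", client, resource))
        return steps

    def revoke(self, operator, client, resource, now: datetime):
        """Withdraw access by undoing the recorded steps in reverse order."""
        g = self.grants.pop((client, resource))
        self.audit.append((now, operator, "revoke", client, resource))
        return [(INVERSE[op], c, r) for op, c, r in reversed(g.steps)]

    def expire(self, now: datetime):
        """Automatic withdrawal of every grant whose allotted time has passed."""
        due = [key for key, g in self.grants.items() if g.expires <= now]
        return [step for c, r in due for step in self.revoke("timer", c, r, now)]
```

Recording the steps at grant time means withdrawal undoes exactly what was applied, even if the chart entry for that client changes while the grant is live.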

While particular embodiments of the invention have been disclosed in detail in the
foregoing description and drawings for purposes of example, it will be understood by those
skilled in the art that variations and modifications thereof can be made without departing
from the scope of the invention as set forth in the following claims. For instance, although
the grant of access to the service provider resources is described as being controlled by a
service provider administrator, it is to be appreciated that such control could be given to
another operator, such as a client administrator, if desired. In such a situation, however,
operation is similar to that described above.